Data access control mechanisms are used to restrict access to data within a data repository to authorized users. One common access control system is a Virtual Private Database (VPD). The VPD is a fine-grained access control mechanism that restricts users' access to specific instances of data stored in a common repository using application contextual information about the user and/or the session during which access is requested. When the data is stored in relational tables, access to specific rows in the table is controlled using a technique called query rewrite. This technique intercepts each user query and appends specific security conditions that filter out sensitive data that would otherwise be included in the result set of the query. The security conditions are dynamically generated based on the application context. The logic that generates appropriate security conditions for a given query is typically hand-coded by a security administrator. The security conditions that restrict users' access to data through standard query languages may be used to enforce restrictions for data manipulation (DML) operations.
VPD techniques, when applied to relational tables, restrict access to specific rows in the table by evaluating the security conditions on the corresponding rows. Often the security conditions are expressed using the columns defined in the table, so that these conditions are evaluated in addition to any predicates in the WHERE clause of a user query. The security conditions may also make use of the application context to derive, for example, the employee's department number at the time of query execution, so that only records relevant to the employee's department are returned for the query. The same security condition, when in effect for DML operations, can be used to restrict users from performing unauthorized manipulation of data using SQL INSERT, UPDATE and DELETE statements. For example, a security condition can ensure that an INSERT operation by the user is accepted only if the security condition evaluates to true for the row being inserted. Similarly, an UPDATE operation on a row may be rejected unless the security condition evaluates to true for both the pre-update version of the row and the updated version of the row.
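The query-rewrite and DML enforcement described above, as an added example that is not part of the original text: a minimal VPD-style row filter over an in-memory SQLite table. The policy (a session sees and modifies only rows of its own department), the `emp` table and its rows are constructed for illustration; the user's WHERE fragment is taken as text here, whereas a real system rewrites a parsed query.

```python
import sqlite3

SCHEMA = "CREATE TABLE emp (emp_id INTEGER PRIMARY KEY, name TEXT, dept_no INTEGER)"
SAMPLE_ROWS = [(1, "ana", 10), (2, "bo", 10), (3, "cy", 20)]  # constructed sample data

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def security_condition(ctx):
    # Hypothetical policy: a session may only see or modify rows of its own department.
    # The predicate is generated from the application context at execution time.
    return "dept_no = ?", (ctx["dept_no"],)

def select_emp(conn, ctx, user_where="1=1", user_params=()):
    # Query rewrite: the user's predicate is AND-ed with the security condition,
    # so rows outside the session's department never reach the result set.
    pred, params = security_condition(ctx)
    sql = (f"SELECT emp_id, name, dept_no FROM emp WHERE ({user_where}) AND ({pred}) "
           "ORDER BY emp_id")
    return conn.execute(sql, tuple(user_params) + params).fetchall()

def row_allowed(conn, ctx, row):
    # Evaluate the same predicate against a candidate row that is not (yet) in
    # the table, by selecting it as a one-row derived table.
    pred, params = security_condition(ctx)
    sql = f"SELECT 1 FROM (SELECT ? AS emp_id, ? AS name, ? AS dept_no) WHERE {pred}"
    return conn.execute(sql, tuple(row) + params).fetchone() is not None

def insert_emp(conn, ctx, row):
    # INSERT is accepted only if the security condition holds for the new row.
    if not row_allowed(conn, ctx, row):
        raise PermissionError("insert violates security condition")
    conn.execute("INSERT INTO emp VALUES (?, ?, ?)", row)

def update_dept(conn, ctx, emp_id, new_dept):
    # UPDATE must satisfy the condition for the pre-update row (fetched through the
    # filtered query, so invisible rows cannot be touched) and for the updated row.
    before = select_emp(conn, ctx, "emp_id = ?", (emp_id,))
    if not before:
        raise PermissionError("row not visible under security condition")
    after = (before[0][0], before[0][1], new_dept)
    if not row_allowed(conn, ctx, after):
        raise PermissionError("update would move row outside security condition")
    conn.execute("UPDATE emp SET dept_no = ? WHERE emp_id = ?", (new_dept, emp_id))
```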
The relational data model is well suited for highly structured data with well-defined semantics, which are captured in the columns defined for the relational table. In contrast, graph data models such as RDF are increasingly being used to store and manage graph data, which is often less structured and less predictable than its relational counterpart. In addition, new data can be inferred from RDF data using inference engines and inference rules. In an RDF data model, the data is modeled as directed graphs, which are represented as a set of triples or statements. The nodes in the graph represent two parts of a given triple, and the third part is represented by a directed link that describes the relationship between the nodes. In the context of an RDF statement, the two nodes are referred to as the Subject and the Object, and the link describing the relationship is referred to as the Predicate or Property.
Fine-grained security for relational data heavily leverages the concept of a row in enforcing security policies that include restrictions on DML operations. The target of a DML operation on relational data is a row, and the clearly defined boundaries of a row ensure that the user is unable to modify any value associated with the row if the security condition does not evaluate to true. In contrast, the notion of a row does not exist in the RDF data model: while updates are performed at the triple level, the target of the DML, or graph manipulation, operation is a sub-graph that includes the set of triples being added or deleted and, likely, multiple other sets of related triples.